Symantec On-Demand Protection 2.6 Juniper IVE SSL VPN 5.2 Integration Guide



Preface

Copyright Information: Symantec Corporation

Copyright 2003-2006 by Symantec Corporation. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means, electronic, mechanical, or otherwise, without prior written permission of Symantec Corporation. Information in this document is subject to change without notice and does not constitute any commitment on the part of Symantec Corporation. Symantec Corporation may own patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter of this document. Furnishing of this documentation does not in any way grant you a license to any patents, trademarks, copyrights, or other intellectual property of Symantec Corporation.

Symantec, Symantec Secure Enterprise, and the Symantec S Logo are registered trademarks or trademarks of Symantec Corporation. Microsoft and Windows are registered trademarks of Microsoft Corporation. All other companies and product names referenced herein may be trademarks or registered trademarks of their respective holders.

Copyright Information: Juniper Networks, Inc.

Copyright (c) 2004-2006 Juniper Networks, Inc. All rights reserved.

Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5GT ADSL, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from:

Juniper Networks, Inc.
1194 N. Mathilda Ave., Sunnyvale, CA 95014
ATTN: General Counsel

Table of Contents

Product Overview
  Background
  Symantec Products
    Symantec On-Demand Manager
    Symantec On-Demand Agent
  Juniper Products
    NetScreen Instant Virtual Extranet
    NetScreen Secure Access Appliance
  Supported Configurations
  How Symantec and Juniper Products Work Together
  Basic Integration Steps
  System Requirements
    Symantec On-Demand
    Juniper SSL VPN
  NetScreen Appliance Prerequisites
    Secure Application Manager and Network Connect Roles
    128-Bit Encryption
  Symantec Support
  Third-Party Product Support
Two Integration Methods
  API Method
  Custom User Interface Method
API Integration
  Step 1: Use Symantec On-Demand Manager to Create Files
    Prerequisites
      Install the On-Demand Manager
      Display the Partner Integration Button
    Procedure
      Configure and Export Virtual Desktop URL
  Step 2: Use Juniper IVE Console to Upload Files
    Prerequisites
    Procedure
  Step 3: Configure the NetScreen Secure Access Appliance
    Prerequisites
    Procedures
      Create the Authentication Realm
      Configure the Sign-in URL
      Configure the Host Checker and Role Mappings
Custom User Interface Integration
  Step 1: Use Symantec On-Demand Manager to Create Files
    Prerequisites
      Symantec
      Juniper
    Procedures
      Configure URLs
      Set Up Policies for Export
  Step 2: Create Custom UI and Upload Files to Appliance
    Prerequisites
    Procedures
      Create Custom UI
      Edit Custom UI
      Edit Pre-5.0 ZIP File Contents
      Upload Custom UI
  Step 3: Configure the NetScreen Secure Access Appliance
    Prerequisites
    Procedures
      Configure Host Checker Policy
      Create Two Different Realms
        Create the Insecure Realm
        Create the Secure Realm
      Configure the Secure Realm
        Configure User Authentication Realms: Host Checker Tab
        Configure User Authentication Realms: Role Mapping Tab
      Create Two Different Sign-In Policies
        Create Insecure Sign-In Policy
        Create Secure Sign-in Policy

Product Overview

Juniper Networks NetScreen Secure Access appliances, combined with Symantec On-Demand Agents, help enterprises to secure applications by ensuring the integrity of endpoints and protecting the data that is transmitted to them. This combination also enables the encryption of data that is transmitted, as well as removal of data upon disconnect.

Background

The fundamental shift from client-server to Web-based applications has changed the way employees, business partners, customers, and suppliers access and utilize corporate information. In a client-server world, corporate information is protected by securing corporate-owned devices and authenticating the user. In contrast, clientless Web-based applications and services can be accessed from any computer, including employee-owned computers, airport kiosks, hotel business center computers, and supplier systems. On these third-party-owned computers, the corporate security organization cannot verify the security of that computer, protect the information provided by the Web application, erase the information at session termination, or protect the entire session from malicious code.

Symantec Products

Symantec On-Demand Manager

The Symantec On-Demand Manager secures Web applications by ensuring the integrity of endpoints and protecting the data that is transmitted to them. This is done through providing the Symantec On-Demand Agent via automatic download at the time of connection to the enterprise Web portal. Administrators use the Symantec On-Demand Manager to configure the Agent to implement a coordinated set of modules and options.

Symantec On-Demand Agent

The Symantec On-Demand Agent is downloaded to the endpoint from the SSL VPN appliance at connection time, eliminating the need to have pre-installed client software to secure data on third-party-owned systems. The connection is only allowed if the endpoint is fully compliant with security policy and the appropriate On-Demand data protection components are in place.

Symantec On-Demand works seamlessly to protect endpoints connecting to:

- Webmail
- SSL VPNs
- portals
- financial, health care and human resources applications
- ERP systems

Juniper Products

NetScreen Instant Virtual Extranet

The IVE Platform is the foundation of the NetScreen Secure Access family of SSL VPN appliances, as well as the Remote Access and Secure Meeting appliances. The NetScreen Instant Virtual Extranet (IVE) platform is the software foundation of NetScreen's hardened Application Security Gateways and enables appliances to plug seamlessly into an enterprise's existing security infrastructure.

NetScreen Secure Access Appliance

The NetScreen Secure Access (NS-SA) appliances provide a complete range of enterprise-class scalability, high availability, and security functionality for customers seeking to cost-effectively extend secure access to network resources. Customers benefit from the ubiquity that SSL VPNs are known for, as well as from the redundancy and scalability provided by clustering these devices.

Supported Configurations

The current implementation of the Symantec On-Demand/Juniper SSL VPN integration supports the following configurations:

Integration Type: Partner Integration (API Method)
Supported Modules: Symantec Virtual Desktop only

Integration Type: Custom User Interface
Supported Modules: All Symantec On-Demand modules (Adaptive Policies, Cache Cleaner, Host Integrity, Virtual Desktop, Malicious Code Prevention/Application Control and Connection Control)

Other module combinations (for example, using both the Symantec and the Juniper Cache Cleaners) may provide some functionality but have not been tested or verified and thus are not officially supported.

How Symantec and Juniper Products Work Together

Administrators use the Symantec On-Demand Manager to configure one or more modules (Virtual Desktop, Host Integrity, and Cache Cleaner) to be uploaded to the Juniper appliance. Once these modules are configured, the administrator uses the On-Demand Manager to create a folder containing the Symantec On-Demand Agent files. The Symantec On-Demand Agent folder is then uploaded to the NetScreen Secure Access appliance.

When a user connects to the appliance, the Symantec On-Demand Agent is installed and launched on the endpoint. The Agent then launches the module(s) that were configured using the On-Demand Manager. If Host Integrity was configured, then the Agent verifies the integrity of the endpoint. If Virtual Desktop was configured, then a Virtual Desktop session is established. The Agent then launches the login process to the IVE.

The user is authenticated and authorized by an LDAP or authorization server, or by the IVE's own internal authentication database. Once authorized, the user can then access corporate resources such as e-mail or corporate servers as defined in the resource policies on the IVE.

Basic Integration Steps

The list below details the basic steps required to integrate Symantec On-Demand functionality with the Juniper appliance. This document covers only the steps that are shaded. The other steps are explained in the Symantec and Juniper documents noted below.

- Install and configure the Symantec On-Demand Manager on a workstation. See the Symantec On-Demand Administration Guide for complete instructions.
- Install and configure the NetScreen Secure Access appliance. See the Juniper documentation for your appliance for complete instructions.
- Use the Symantec On-Demand Manager to create and configure Symantec On-Demand modules, and then write them to .zip files.
- Use one of the two integration methods (Custom UI or API) to upload the .zip files to the NetScreen Secure Access appliance.
- Configure the NetScreen Secure Access appliance to deploy Symantec On-Demand.
- Test. See NetScreen Instant Virtual Extranet Platform Administration Guide for complete instructions.

System Requirements

Symantec On-Demand

For complete information about the system requirements for Symantec On-Demand Manager or Symantec On-Demand Agent, please see Minimum Installation Requirements in the Symantec On-Demand Administration Guide.

Note: as a prerequisite to installing the Symantec On-Demand Manager, you must install the Java Runtime Environment (JRE) version 1.4.2 or later. If you need to download and install the required version of JRE, go to http://java.sun.com, navigate to Downloads, and click Java VM.

Juniper SSL VPN

Please see the NetScreen Instant Virtual Extranet Platform Administration Guide for complete information about minimum requirements.

NetScreen Appliance Prerequisites

Secure Application Manager and Network Connect Roles

Before you can implement either the API or Custom UI version of the Symantec/Juniper integration, at least one role must exist on the NetScreen Secure Access appliance. Because many users are likely to want access to the IVE's Secure Application Manager and Network Connect features, we will create roles in this example that will provide access to these features. These roles will be called JSAM and Network Connect. Please note that these roles are provided as examples only; these specific roles are not required to implement the Symantec/Juniper integration.

The JSAM role will provide access to the Java version of Secure Application Manager. See the NetScreen Instant Virtual Extranet Platform Administration Guide's Secure Application Manager Overview section for complete information about this feature.

The Network Connect role (which exists on the appliance by default) provides access to the IVE's Network Connect feature, which is described in NetScreen Instant Virtual Extranet Platform Administration Guide's Network Connect Overview.

To create the roles, perform the following steps.

1. Log on to the appliance as an administrator.
2. On the appliance's administration console, select Users > Roles. The Roles screen appears.
3. Click the New Role button, name the new role JSAM, and use the various menus available to enable the settings shown for JSAM in the figure above. See NetScreen Instant Virtual Extranet Platform Administration Guide's Configuring the SAM Page for complete information.
4. Because the Network Connect role is created by default, it will probably already be present on your appliance. If it is not, repeat step 3 for Network Connect (see the NetScreen Instant Virtual Extranet Platform Administration Guide's Configuring the Network Connect Page for complete information).

128-Bit Encryption

The Juniper IVE appliance requires that you use a browser that offers 128-bit rather than 40-bit encryption to access the IVE's SSL VPN. You can also specify 168-bit encryption. Browsers that meet the IVE security requirements for Core functionality include Internet Explorer 5.5+, Netscape Communicator 4.7+, Mozilla 1.6 and Safari 1.0, 1.1, and 1.2. For information about browser requirements for Advanced functionality, please see Juniper's Platform Guide: IVE Supported Platforms, OS Service Package Version 4.2, NetScreen-SA Product Line.

Symantec Support

Symantec Corporation provides a wide variety of service and Support programs. Contact Enterprise Support through its web site, by email, or by telephone.

Web site: support.sygate.com
Email address: Syg_EnterpriseSupport@symantec.com
Toll free number: (877) TECH-800 (832-4800)
Int'l Toll free number: +0 800 8324-8000

Third-Party Product Support

If you obtained this product from a hardware or software company other than Symantec Corporation directly, your software license as well as all service and support should be obtained through that vendor. Check the Addendum provided with the package for service and support information.

Two Integration Methods

There are two basic methods you can use to integrate the Symantec On-Demand functionality with the NetScreen Secure Access appliance. One uses a built-in Host Check Client Interface to manage the integration, and the other uses a customized user interface based on templates to accomplish the same goal. You need to choose which integration method to use. The advantages and limitations of each method are listed below.

API Method

- The Partner Integration button in the Symantec On-Demand makes it easy to upload the Symantec On-Demand Agent to the NetScreen Secure Access appliance. If the Partner Integration button does not appear, follow the steps in Display the Partner Integration Button on page 9 to display it.
- This release of the integration supports only the Symantec On-Demand Virtual Desktop module.

Custom User Interface Method

- Uses the existing set of customizable templates within the NetScreen Secure Access appliance to upload Symantec On-Demand.
- Requires several steps to upload Symantec On-Demand to the appliance and to configure the appliance to deploy the On-Demand module(s).
- Enables the use of any or all of the Symantec On-Demand modules.
- Requires the Advanced license for NS-SA appliances. Can also be implemented on Secure Meeting appliances, but not on Remote Access appliances.


API Integration

Step 1: Use Symantec On-Demand Manager to Create Files

This section describes how to use the Symantec On-Demand Manager to configure the Virtual Desktop module. Later sections describe how to upload the module to the NetScreen Secure Access appliance and how to configure the appliance to deploy Symantec On-Demand.

Prerequisites

Install the On-Demand Manager

The instructions that follow assume that the Symantec On-Demand Manager is installed on your machine, and that your copy of Symantec On-Demand Manager is licensed with the Virtual Desktop module enabled. For information about licensing issues, or about how to install or configure the Symantec On-Demand Manager, see the Symantec On-Demand Administration Guide.

Display the Partner Integration Button

In previous releases, the On-Demand Manager displayed a Partner Integration button on the main Virtual Desktop page by default. Starting with the Symantec On-Demand 2.6 release, you must edit the On-Demand Manager's configuration file to display this button.

To display the button:

1. Close the Symantec On-Demand Manager and navigate to the directory that contains the setup.xml file. The default location is C:\Program Files\Symantec\Symantec On-Demand\On-DemandAgent\setup.xml
2. Using any standard text editing application (Notepad, Wordpad, etc.) open setup.xml and locate the attribute APIIntegration and change its value from 0 to 1.
3. Save and close setup.xml.
4. Reopen the On-Demand Manager. The Partner Integration button should now be displayed.

Procedure

You need to perform two basic tasks in the On-Demand Manager to prepare files for integration with the NetScreen Secure Access appliance.

- Configure the Virtual Desktop to access the IP address or DNS-resolvable name of the appliance.
- Generate a .zip file to export the On-Demand module to the appliance.

These tasks are described in detail in the rest of this section.

Configure and Export Virtual Desktop URL

In the Symantec On-Demand Manager, the Virtual Desktop page contains a Partner Integration button, which allows you to capture the policies you have specified and prepare the module for upload to the NetScreen Secure Access appliance. Please see the Symantec On-Demand Manager Administration Guide for information about how to create individual policies.

1. Launch the Symantec On-Demand Manager and click the plus sign (+) next to Location (Office in this example) to expand it.
2. Click Virtual Desktop.
3. Click the URL tab.
4. In the Success area of the URL tab, enter the IP address or DNS-resolvable name of the NetScreen Secure Access appliance's login page. (Don't forget to enter the s in https, and make sure that Set Cookie is not checked.)
5. Using the Virtual Desktop and Web Browser tabs, set up the On-Demand policies and rules that you want to export to the Juniper appliance. Remember to click Apply to save your settings.
6. Click the Partner Integration button to display the Export Virtual Desktop dialog. (If no Partner Integration button is displayed, see Display the Partner Integration Button on page 9.)
7. Click the Generate Agent button. The Save dialog appears.
8. Enter the name of the .zip file to upload to the IVE (vd in this example) and click Save.

Step 2: Use Juniper IVE Console to Upload Files

This section describes how to upload the .zip file that contains the Virtual Desktop module to the NetScreen Secure Access appliance. A later section describes how to configure the appliance to deploy the module.

Prerequisites

The instructions that follow assume that the Juniper IVE has been configured according to the instructions in the appliance's installation guide and the NetScreen Instant Virtual Extranet Platform Administration Guide.

Procedure

Use the following procedure to upload the .zip file for integration with the NetScreen Secure Access appliance:

1. Log on to the appliance as an administrator.
2. On the appliance's administration console, select Signing In > Endpoint > Host Checker.
3. In the Policies area of the Host Checker tab, click the New 3rd Party Policy button.
4. On the New 3rd Party Policy page, enter the name you want to give the new policy (vd in this example), browse to the .zip file's location (C:\Program Files\Symantec\Symantec On-Demand\On-Demand Agent - Juniper for a default installation) and select the file, and then click the Save Changes button.

Step 3: Configure the NetScreen Secure Access Appliance

This section describes how to configure the NetScreen Secure Access appliance to deploy the Symantec On-Demand Agent. Earlier sections described how to use the Symantec On-Demand Manager to configure the Virtual Desktop, create Agents, and how to upload the Agents to the NetScreen Secure Access appliance.

Prerequisites

The instructions that follow assume that the NetScreen Secure Access appliance and the Juniper IVE have been installed and configured according to the instructions in the appliance's installation guide and the NetScreen Instant Virtual Extranet Platform Administration Guide.

Procedures

You need to perform three basic tasks to configure the NetScreen Secure Access appliance to deploy the Symantec On-Demand Agent:

- Create a User Authentication Realm.
- Link the User Authentication Realm to the default Sign-in URL (*/).
- Configure Host Checker to point to the uploaded On-Demand Agent zipfile.

Create the Authentication Realm

1. Log on to the appliance as an administrator.
2. On the appliance's Central Manager console, click Users > Authentication to display the User Authentication Realms page.
3. Click New to display the New Authentication Realms page.
4. Enter the name (API Realm in this example) in the Name box, and in the Servers list, select the name of the authentication server (such as LDAP or local Juniper server, called spring in this example) that you will use to authenticate your users. Click Save Changes.

Configure the Sign-in URL

1. On the appliance's Central Manager console, click System > Signing In to display the Signing In page.
2. Click */ in the User URLs list to display the Signing In */ page.
3. Select Default Sign-in from the Sign-in Page list. Then select User picks from a list of authentication realms, and use the Add button to add API Realm to the selected realms. Click Save Changes.

Configure the Host Checker and Role Mappings

1. Log on to the appliance as an administrator.
2. On the appliance's Central Manager console, click Users > Authentication > API Realm > Authentication Policy > Host Checker to display the Host Checker page.
3. In the Available Policies list, click Require and Enforce for both vd and vd.vsdcheck. During the upload process, the IVE creates two policies: one with just the name you specified for the .zip file and one that appends .vsdcheck to the end of that name. It is important that you select Require and Enforce for both policies.
4. Click Save Changes to save your changes.
5. Click the Users > Authentication > API Realm > Role Mapping tab to display the Role Mapping screen.
6. Click New Rule to display the Role Mapping Rule screen.
7. Enter a name for the rule (optional), and then enter an asterisk (wild card) in the Rule: If Username is box. This will cause all users to be routed to the specified roles.
8. In the Then assign these roles area, use the Add button to add the roles (JSAM and NC) that you created in the Secure Application Manager and Network Connect Roles section on page 5 of this document.
9. Click Save Changes. The API Realm screen is displayed.
10. Select User must select from among assigned roles, and click Save Changes.

For more information about creating and configuring realms and user roles, see the NetScreen Instant Virtual Extranet Platform Administration Guide.

Custom User Interface Integration

Step 1: Use Symantec On-Demand Manager to Create Files

This section describes how to use the Symantec On-Demand Manager to configure the Virtual Desktop, Host Integrity and Cache Cleaner modules. Later sections describe how to upload the modules to the NetScreen Secure Access appliance and how to configure the appliance to deploy them.

Prerequisites

Symantec

The instructions that follow assume that the Symantec On-Demand Manager is installed on your machine, and that your copy of the Symantec On-Demand Manager is licensed with the Host Integrity and Virtual Desktop modules enabled. For information about licensing issues, or about how to install or configure the Symantec On-Demand Manager, see the Symantec On-Demand Administration Guide.

Juniper

You must have an Advanced license for your Juniper SSL VPN appliance.

Procedures

You need to perform three basic tasks in the On-Demand Manager to prepare files for integration with the NetScreen Secure Access appliance:

- Configure the On-Demand module(s) to access the IP address or DNS-resolvable name of the appliance. Each module can point to a different sign-in page if desired.
- Set and apply policies for each module.
- Generate .zip files to export the On-Demand module(s) to the appliance.

These tasks are described in detail below.

Configure URLs

1. Launch the Symantec On-Demand Manager and click the + sign next to Location (Office in this example) to expand it.
2. Click the module you want to export (Virtual Desktop in this example).
3. Click the URL tab.
4. In the Success area of the URL tab, enter the IP address or DNS-resolvable name of the NetScreen Secure Access appliance's login page. (Don't forget to enter the s in https, and make sure that Set Cookie is not checked.) In this example the URL is composed of the appliance's IP address and the /vd/ extension. You will use this URL later when you create the Secure sign-in policy on the NetScreen Secure Access appliance. See Create Secure Sign-in Policy on page 50 for more information.
5. Using the Virtual Desktop and Web Browser tabs, set up the On-Demand policies and rules that you want to export to the Juniper appliance. Remember to click Apply to save your settings.
6. Repeat steps 2 through 5 for each module for which you want to specify a URL. Please note that you cannot use the same URL extension (/vd/ in this example) for the other modules. Each module you configure must have a different extension.

For further information about setting up URLs for locations, see the Setting the Success and Failure URLs section of the Symantec On-Demand Manager Administration Guide.

Set Up Policies for Export

When you use the Custom UI integration method, you can specify policies for all of the Symantec On-Demand modules and prepare them for upload to the NetScreen Secure Access appliance. You can specify different policies for each of your locations. Please see the Symantec On-Demand Manager Administration Guide for detailed information about how to create policies.

1. Launch the Symantec On-Demand Manager and click the + next to the desired location (Office in this example) to expand it.
2. Click Host Integrity, Virtual Desktop, or Cache Cleaner (Virtual Desktop in this example) and specify the policies you want to enforce on endpoint machines in this location.
3. Click Apply to save your settings.
4. Continue specifying policies for the other modules as desired. Remember to click Apply to save your settings before exiting each tab.

Step 2: Create Custom UI and Upload Files to Appliance

This section describes how to upload the .zip files that contain the Symantec On-Demand Agent (SOA) to the NetScreen Secure Access appliance. A later section describes how to configure the appliance to deploy the SOA.

Prerequisites

The instructions that follow assume that the NetScreen Secure Access appliance and the Juniper IVE have been installed and configured according to the instructions in the appliance's installation guide and the NetScreen Instant Virtual Extranet Platform Administration Guide. The instructions also assume that roles (JSAM and NC) have already been created on the NetScreen Secure Access appliance. Please see Secure Application Manager and Network Connect Roles on page 5 for instructions on how to create these roles.

Procedures

You need to perform three basic tasks to create and upload .zip files containing the Symantec On-Demand Agent for integration with the NetScreen Secure Access appliance:

- Create a custom UI from a template.
- Edit the custom UI to point to the Symantec files.
- Upload the custom UI.

These three tasks are described in the rest of this section.

Create Custom UI

NOTE: If you are upgrading from a previous version of the IVE, you may prefer to edit your pre-5.0 .zip file instead of downloading and customizing a new one. To do so, please skip the instructions below and proceed to Edit Pre-5.0 ZIP File Contents for instructions.

1. Log on to the appliance as an administrator.
2. Click System > Signing In, and then click the Sign-In Pages tab.
3. Click Upload Custom Pages to display the Custom Sign-In Pages screen.
4. In the Sample Template Files area, click Sample and follow the prompts to save the sample template .zip file (called Sample.zip) to a location where you can access it later.
5. Extract the files from Sample.zip.

Edit Custom UI

Note: For specific information on exactly how to edit files in the .thtml format, please see Create Custom Sign-In Pages in the NetScreen Instant Virtual Extranet Platform Administration Guide.

1. Navigate to the location in which you saved the sample template .zip file (Sample.zip).
2. Extract the files from Sample.zip.
3. Using any text or HTML editor, open the file LoginPage.thtml (one of the files you extracted from Sample.zip) and perform these general steps:
   - Locate and remove the User Name and Password fields.
   - Replace User Name and Password with the following HTML code:
     <a href="On-DemandAgent/index.htm">Run the Symantec On-Demand Agent</a>
   - Locate and remove the code that displays the Submit button.
   - Locate the code that displays the message "This is the custom sign-in page for the demo!!" and replace it with text you want to display to users when this page is displayed (optional).
   - Save and close LoginPage.thtml.
4. Locate the On-DemandAgent folder that you created in Set Up Policies for Export on page 27 and copy it into the same directory as the unzipped files from Sample.zip.
5. Rezip the files from Sample.zip along with the On-DemandAgent folder.
   Note: Make sure that the HTML files from Sample.zip are located at the root level of the new zip file you create. Otherwise the NetScreen Secure Access appliance will be unable to locate these files within the .zip file and the upload procedure will fail.
6. Rename the .zip file to any name you choose.

Edit Pre-5.0 ZIP File Contents

If you are upgrading your Custom UI from a previous version of the IVE, you may prefer to edit your pre-5.0 .zip file instead of downloading and customizing a new one. To do so, follow the instructions below.

1. Unzip the old zip file.
2. Delete the LoginPage-ppc.thtml.
3. Edit the LoginPage.thtml to add the following text as the very FIRST line:
   <%# NetScreen Page Version 1001 %>
4. Edit the LoginPage.thtml to add the following snippet anywhere in the page, except in a comment:
   <% IF 0 %> <% prompts %> <% END %>
5. Zip up all the pages and associated objects.
6. Upload this zip file to the IVE appliance.

Upload Custom UI

1. Log on to the appliance as an administrator.
2. Click System > Signing In, then click the Sign-in Pages tab.
3. Click Upload Custom Pages.
4. In the Sign-In Pages area, enter a name in the Name box (Sygate Virtual Desktop in this example). This is the name that will be used later when you configure the Insecure sign-in policy. See Create Insecure Sign-In Policy on page 48 for further information.
5. In the Sign-In Pages area's Templates File box, use the Browse button to locate and specify the zip file that contains your custom UI files.
6. Click skip validation checks during upload. The file may fail to upload if you do not check this box.
7. Click Upload Custom Pages. When the upload is complete, your .zip file name will be displayed below the Templates File box.
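Because the upload is performed with the appliance's validation checks skipped, it is worth checking the archive locally first. The following Python script is an added example, not part of the original guide or of either product: it checks the packaging rules from Edit Custom UI and Edit Pre-5.0 ZIP File Contents. The function names and the two sample archives are constructed for illustration.

```python
import io
import re
import zipfile

VERSION_HEADER = "<%# NetScreen Page Version 1001 %>"
AGENT_INDEX = "On-DemandAgent/index.htm"

def check_custom_ui_zip(data, upgraded_pre_5=False):
    """Return a list of packaging problems in a custom UI zip (empty list = OK)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        # Template pages must be at the archive root or the upload fails.
        nested = sorted(n for n in names if n.endswith(".thtml") and "/" in n)
        if nested:
            problems.append("template pages not at zip root: " + ", ".join(nested))
        if "LoginPage.thtml" not in names:
            return problems + ["LoginPage.thtml missing from zip root"]
        if AGENT_INDEX not in names:
            problems.append(AGENT_INDEX + " missing from zip")
        page = zf.read("LoginPage.thtml").decode("utf-8", errors="replace")
    if AGENT_INDEX not in page:
        problems.append("LoginPage.thtml does not link to " + AGENT_INDEX)
    # The agent deployment page must not collect credentials.
    if re.search(r"<input[^>]*type\s*=\s*[\"']?password", page, re.I):
        problems.append("LoginPage.thtml still contains a password field")
    if upgraded_pre_5:  # extra rules for an edited pre-5.0 archive
        lines = page.splitlines()
        if not lines or lines[0].strip() != VERSION_HEADER:
            problems.append("first line is not the page version header")
        if not re.search(r"<%\s*prompts\s*%>", page):
            problems.append("<% prompts %> snippet missing")
        if "LoginPage-ppc.thtml" in names:
            problems.append("LoginPage-ppc.thtml should be deleted")
    return problems

def build_zip(files):
    """Build an in-memory zip from {name: text}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()

# Constructed sample archives (not taken from a real Sample.zip).
LINK = '<a href="On-DemandAgent/index.htm">Run the Symantec On-Demand Agent</a>'
GOOD = build_zip({
    "LoginPage.thtml": VERSION_HEADER + "\n<% IF 0 %> <% prompts %> <% END %>\n" + LINK,
    "On-DemandAgent/index.htm": "<html></html>",
})
BAD = build_zip({
    "Sample/LoginPage.thtml": LINK,  # pages zipped inside a folder
    "On-DemandAgent/index.htm": "<html></html>",
})

if __name__ == "__main__":
    print(check_custom_ui_zip(GOOD, upgraded_pre_5=True))
    print(check_custom_ui_zip(BAD))
```

To check a real archive, pass the bytes of the .zip file you are about to upload to check_custom_ui_zip.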

Step 3: Configure the NetScreen Secure Access Appliance

This section describes how to configure the NetScreen Secure Access appliance to deploy the Symantec On-Demand modules. Earlier sections described how to use the Symantec On-Demand Manager to configure the modules, set policies, and create and upload a custom UI.

Prerequisites

The instructions that follow assume that the NetScreen Secure Access appliance and the Juniper IVE have been installed and configured according to the instructions in the appliance's installation guide and the NetScreen Instant Virtual Extranet Platform Administration Guide.

Procedures

To use the Symantec On-Demand Agent to provide secure user access to the IVE, the On-Demand Agent needs to be made accessible from the IVE sign-in pages. You need to perform four basic tasks in the IVE to make this possible:

- Configure Host Checker to ensure the On-Demand Agent is running.
- Create and configure two realms (one "insecure" and one "secure").
- Create two sign-in policies (an insecure one that provides endpoints with access to the Agent, and a secure one that allows endpoints that meet Host Checker criteria to access your network).
- Implement the Secure sign-in policy.

These tasks are described in detail in the rest of this section.

Configure Host Checker Policy

Host Checker needs to check to see if the On-Demand Agent is running. To do this, you need to configure Host Checker to check for different conditions depending on which On-Demand modules you uploaded:

Modules Configured | Checks
Virtual Desktop only | cclient.exe process is running; HKEY_CURRENT_USER\SSPisRunning key exists (type: DWORD, value: 1)
Host Integrity only | HKEY_CURRENT_USER\HIisRunning key exists (type: DWORD, value: 1)
Cache Cleaner only | cclient.exe process is running
Virtual Desktop and Host Integrity | cclient.exe process is running; HKEY_CURRENT_USER\SSPisRunning key exists (type: DWORD, value: 1)
Cache Cleaner and Host Integrity | cclient.exe process is running; HKEY_CURRENT_USER\HIisRunning key exists (type: DWORD, value: 1)

In this example, we will create a Host Checker policy for the Virtual Desktop module. To create this policy, perform the following steps.

1. Log on to the appliance as an administrator.
2. Go to Signing In > Endpoint > Host Checker.

3. Click the New button to display the New Host Checker Policy tab.
4. In the Policy Name box, enter the name you want to give to this policy (VD in this example) and click Continue to display the Host Checker Policy tab.
5. In the Rule Settings area, select Custom Rule: Process from the list and click Add.

6. On the Add Custom Rule: Process page, enter cclient.exe in the Process Name field and click Required.
7. Click Save Changes. The Host Checker Policy page is displayed.
8. In the Rule Settings area, select Custom Check: Registry Setting from the list box and click Add.

9. On the Add Custom Rule: Registry Setting page, select HKEY_CURRENT_USER from the Registry Root Key list.
10. In the Name box, enter SSPisRunning.
11. In the Type list, select DWORD.
12. In the Value box, enter 1. Click Save Changes.

Create Two Different Realms

You need to create two distinct user authentication realms:

- The Insecure realm. This realm maps users to the Insecure sign-in page, which is the On-Demand Agent deployment page created and uploaded using the Custom UI method. Note that this page does not allow users to directly sign into the IVE appliance. Instead, it allows users to download the On-Demand Agent and then access the IVE sign-in page that is associated with the Secure realm.
- The Secure realm. This realm maps users to the default login page. It uses Host Checker to check for the presence of the On-Demand Agent before allowing a user to submit credentials to the IVE for authentication.

Create the Insecure Realm

To create the Insecure realm, perform the following steps:

1. Log on to the appliance as an administrator.
2. Go to Users > Authentication > User Authentication Realms tab.

3. Click the New button to display the New Authentication Realm tab.
4. In the Name box, enter the name you plan to give to your insecure realm (InSecureVD in this example).
5. In the Authentication box in the Servers area, specify the desired authentication server (spring in this example).
6. Click Save Changes.

Create the Secure Realm

To create the Secure realm, perform the following steps:

1. Log on to the appliance as an administrator.
2. Go to Users > Authentication > User Authentication Realms tab.

3. Click the New button to display the New Authentication Realm tab.
4. In the Name box, enter the name you plan to give to your secure realm (SecureVD in this example).
5. In the Authentication box in the Servers area, specify the desired authentication server (spring in this example).
6. Click Save Changes.

Configure the Secure Realm

To configure the Secure realm, perform the following steps.

Configure User Authentication Realms: Host Checker Tab

1. Log on to the appliance as an administrator.
2. Select User Authentication to display the User Authentication Realms page.
3. Click the SecureVD link, and then click Authentication Policy > Host Checker to display the User Authentication Realms > SecureVD page.

4. In the Available Policies list, select the policy name (VD in this example) that you created in the Configure Host Checker step.
5. Click Save Changes to save your changes.

Configure User Authentication Realms: Role Mapping Tab

1. Log on to the appliance as an administrator.
2. Select User Authentication to display the User Authentication Realms page.
3. Click the SecureVD link, and then click the Role Mapping tab to display the User Authentication Realms > SecureVD page.

4. Click the New Rule button to display the Role Mapping Rule page.

5. Enter a name in the Name: box (optional).
6. In the Rule: If username's first dropdown, select is, and enter * (for all users) in the second.
7. Select the desired roles (JSAM and Network Connect) from the Available Roles: area and click Add-> to add them to the Selected Roles: list.
8. Click Save Changes.

Create Two Different Sign-In Policies

You need to create two distinct sign-in policies:

- The InsecureVD sign-in policy, which uses the Custom UI that contains the Symantec On-Demand Agent. These users map to the InsecureVD realm.
- The SecureVD sign-in policy, which requires that all users connecting to this URL must have the Symantec Virtual Desktop running, which is enforced by Host Checker. These users map to the SecureVD realm.

Create Insecure Sign-In Policy

1. Log on to the appliance as an administrator.
2. Click System > Signing In and then click the Sign-In Policies tab.

3. Click New URL to display the New Sign-In Policy page.
4. In the User Type area, click Users.
5. In the Sign-in URL box, enter */.
6. Enter a description (optional).
7. In the Sign-In Page box, enter the name you gave to your custom sign-in page (Sygate Virtual Desktop in this example). See Upload Custom UI on page 32 for more information.
8. In the Authentication Realm area, click User picks from a list of authentication realms.
9. In the Available Realms list, select InSecureVD and click Add to add it to the Selected Realms list.
10. Click Save Changes.

Create Secure Sign-in Policy

1. Log on to the appliance as an administrator.
2. Click System > Signing In and then click the Sign-In Policies tab.

3. Click the New URL button to display the New Sign-In Policy tab.
4. In the User Type area, click Users.
5. In the Sign-in URL box, enter */urlname/ where /urlname/ is the name you assigned to the URL in the Symantec On-Demand Manager (/vd/ in this example). See Configure URLs on page 26 for more information.
6. Enter a description (optional).
7. In the Sign-In Page box, select Default Sign-In Page from the list.
8. In the Authentication Realm area, click User picks from a list of authentication realms.
9. In the Available Realms list, select SecureVD and then click Add to add it to the Selected Realms list.
10. Click Save Changes.
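The settings made across Steps 1 to 3 have to agree with each other: each module's Success URL, the sign-in policy URLs, and the realms behind them. The following Python script is an added example, not part of the original guide or of either product, that cross-checks them. The dictionary layout is a hypothetical representation typed in by hand (it is not an IVE or On-Demand Manager export format), and 192.0.2.10 is a documentation address standing in for the appliance.

```python
from urllib.parse import urlparse

def audit(modules, sign_in_policies, realms, custom_page):
    """Cross-check On-Demand Success URLs against IVE sign-in policies and realms."""
    findings, seen = [], {}
    policy_urls = {p["url"] for p in sign_in_policies}
    for module, success_url in modules.items():
        u = urlparse(success_url)
        if u.scheme != "https":
            findings.append(f"{module}: Success URL is not https")
        ext = u.path if u.path.endswith("/") else u.path + "/"
        if ext == "/":
            findings.append(f"{module}: Success URL has no extension")
            continue
        # Each module must use its own URL extension.
        if ext in seen:
            findings.append(f"{module}: extension {ext} already used by {seen[ext]}")
        seen.setdefault(ext, module)
        # The Success URL must land on a sign-in policy of the form */ext/.
        if "*" + ext not in policy_urls:
            findings.append(f"{module}: no sign-in policy for *{ext}")
    for p in sign_in_policies:
        if p["page"] == custom_page:
            continue  # agent deployment page: it has no credential fields
        # Any page that accepts credentials must map only to Host Checker realms.
        for realm in p["realms"]:
            if not realms.get(realm, {}).get("host_checker"):
                findings.append(f"{p['url']}: realm {realm} has no Host Checker policy")
    return findings

# Constructed configuration mirroring the guide's example names.
CUSTOM_PAGE = "Sygate Virtual Desktop"
POLICIES = [
    {"url": "*/", "page": CUSTOM_PAGE, "realms": ["InSecureVD"]},
    {"url": "*/vd/", "page": "Default Sign-In Page", "realms": ["SecureVD"]},
]
GOOD = {
    "modules": {"Virtual Desktop": "https://192.0.2.10/vd/"},
    "realms": {"InSecureVD": {"host_checker": []}, "SecureVD": {"host_checker": ["VD"]}},
}
BAD = {
    "modules": {"Virtual Desktop": "http://192.0.2.10/vd/",
                "Cache Cleaner": "https://192.0.2.10/vd/"},
    "realms": {"InSecureVD": {"host_checker": []}, "SecureVD": {"host_checker": []}},
}

def run(cfg):
    """Audit one constructed configuration against the shared sign-in policies."""
    return audit(cfg["modules"], POLICIES, cfg["realms"], CUSTOM_PAGE)

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, run(cfg))
```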